Integrating Cyber Threat Intelligence (CTI) into your cybersecurity program. FAQ
1. What is cyber intelligence?
Cyber Threat Intelligence is the process of transforming raw cyber threat data from emerging and existing threat actors into intelligence that is actionable in decision making.
It entails the transformation of raw data such as IP addresses and logs into information (logs of malicious activity) and intelligence (processed and analyzed data).
2. What is the difference between threat intelligence and threat hunting?
Threat hunting is the process of actively looking for threat actors' TTPs, while threat intelligence is converting any data gathered into actionable points necessary to secure an infrastructure. The aim is to reduce dwell time (the time taken for an organization to detect a breach).
3. What degrees, training or certification do I need to work in CTI?
It is not necessary to have a degree in cybersecurity, as many have beaten the odds through a career change, yet a degree in IT will make life easier.
Training and certification: let me say training is more important, as it helps to develop new skills and hone existing ones. To be able to work in CTI, skills like threat hunting and modeling are very important. Certifications such as SANS Threat Intelligence Professional and eLearnSecurity Threat Intelligence Professional are both good in any CTI professional's portfolio.
4. I hear people talk about attribution a lot; what does it mean?
Attribution is a threat actor's signature and behavior. Threat attribution helps to identify threat actors and understand their motivation.
5. Can you explain what threat modeling is and how we can merge this with threat intelligence?
Threat modeling stands between threat hunting and threat intelligence. It is the process of capturing, organizing and analyzing identifiable information about a threat and threat actor.
Successful threat modeling aids effective threat intelligence, because the model helps in taking actionable security decisions.
6. What are indicators of compromise, and do they really matter?
Indicators of compromise, popularly called IoCs, are any evidence gathered about a vulnerability or a threat actor. They can be IP addresses, file types and extensions, misconfigurations and/or system bugs, to mention but a few.
They are very important, as they are the outcome/result of any threat hunting.
7. What would be your top sources and data feeds for cyber threat intelligence?
With my experience so far, I value security blog feeds such as Security Week Briefing, Dark Reading, Krebs on Security and a host of others; forums (deep and dark web); Telegram, Twitter and Discord channels; and commercial tools.
8. How can one validate information received externally to minimize the costs and negative impact of bad intelligence?
Every piece of intelligence is particular to a sector or industry; it is not every external piece of information you feed on. Understanding strategic intelligence will help a lot; reading the end-of-year whitepapers from Verizon, AlienVault and a host of others will help to shape focus and go for the right information. It is not every intelligence you feed on: some will add weight, some are poisonous, some are right. I think at first every starter in CTI makes this mistake, and I did too, but asking questions such as "how relatable is this intelligence to my organization?", "what's the risk value?" and "is my organization running this infrastructure?" will help to validate intelligence.
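The three validation questions at the end of this answer, turned into a scoring routine as an added example (not from the original page); the organisation profile, the feed items, the severity scale and the score weights are all constructed assumptions:

```python
from dataclasses import dataclass, field
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale

@dataclass
class IntelItem:
    source: str
    sectors: tuple          # sectors the report says are targeted; () = not sector specific
    products: tuple         # products/technologies the report says are affected
    severity: str           # severity as rated by the source
    indicators: tuple = ()  # IoCs shipped with the report

@dataclass
class OrgProfile:
    sector: str
    inventory: set                               # technologies actually deployed
    sightings: set = field(default_factory=set)  # IoCs already observed in own telemetry

def validate_intel(item, org):
    """Score one external item against the three questions; 0 means drop it."""
    reasons = []
    # Q1: how relatable is this intelligence to my organization? (sector match)
    sector_hit = not item.sectors or org.sector in item.sectors
    # Q3: is my organization running this infrastructure? (inventory match)
    running = {p.lower() for p in item.products} & {p.lower() for p in org.inventory}
    if not sector_hit and not running:
        return 0, ["neither our sector nor anything we run is affected"]
    score = 0
    if sector_hit:
        score += 2
        reasons.append("targets our sector")
    if running:
        score += 3
        reasons.append("affects deployed: " + ", ".join(sorted(running)))
    # Q2: what is the risk value? Source severity counts only once relevance is established.
    score += SEVERITY_SCORE.get(item.severity.lower(), 0)
    reasons.append(f"source severity {item.severity}")
    seen = set(item.indicators) & org.sightings
    if seen:
        score += 2
        reasons.append(f"{len(seen)} indicator(s) already seen in our telemetry")
    return score, reasons

# Constructed sample: a finance organisation, one prior IoC sighting, three feed items.
ORG = OrgProfile("finance", {"Microsoft Exchange", "Fortinet FortiGate"}, {"198.51.100.7"})
FEED = [
    IntelItem("vendor blog", ("healthcare",), ("Citrix ADC",), "critical"),
    IntelItem("ISAC bulletin", ("finance", "fintech"), ("Microsoft Exchange",), "high", ("198.51.100.7",)),
    IntelItem("generic report", (), ("Cisco ASA",), "medium"),
]
```

A critical report that touches neither our sector nor anything we run scores 0 and is dropped, while a high-severity report about deployed infrastructure with an indicator we have already seen ranks highest.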
9. How can we embed threat intelligence into our cybersecurity program, especially tools and processes?
Threat intelligence can be embedded into a cybersecurity program in almost all sections, especially in the incident response cycle: from preparation, through outlining of engagement, detection and analysis (as threat intelligence aids the investigation of incidents), to post-incident activity through active threat hunting to prevent recurrence and also validate the measures the IR team put in place, and containment, eradication and recovery through the provision of security recommendations. In this brief description, it may involve malware analysts, penetration testers and incident response teams, including the SOC operators.
10. How can an organization leverage open-source intelligence (OSINT) and human intelligence (HUMINT)?
There are vast numbers of open-source intelligence tools that can be used to validate any information gathered. To be doubly sure, a threat intelligence analyst may relate directly with the threat actor using a cyber avatar (if you want to get them, you act, think and relate like them). OSINT tools are immeasurable, and HUMINT is a great skill for every intelligence analyst.
11. Can you briefly explain the cyber kill chain?
The cyber kill chain is a threat modeling framework that includes a seven-step attack lifecycle and gives cyber defenders the chance to limit the likelihood of a successful attack. It includes reconnaissance (information gathering), weaponization (means of delivery), delivery (delivers), exploitation (a vulnerability), installation (installs malware), command and control (commands remotely) and actions on objectives (performs malicious actions).
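An added example (not from the original page) that uses the seven phases above to track how far each host has progressed along the chain, so defenders can see where to break it early and where their detection coverage has gaps; the detection names and the sample telemetry are constructed, hypothetical values:

```python
from collections import defaultdict
# The seven phases, in order, as listed in the answer above.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_INDEX = {p: i for i, p in enumerate(KILL_CHAIN)}
# Hypothetical detection names mapped to phases (constructed; not from the page).
DETECTION_PHASE = {
    "external_port_scan": "reconnaissance",
    "phishing_email_with_attachment": "delivery",
    "office_macro_spawned_shell": "exploitation",
    "new_persistence_run_key": "installation",
    "beacon_to_known_c2": "command_and_control",
    "bulk_file_exfil": "actions_on_objectives",
}

def chain_progress(events):
    """events: (timestamp, host, detection_name) tuples. Per host, return the phases seen
    in time order, the deepest phase reached, and phases in between with no detection."""
    seen = defaultdict(list)
    for _ts, host, det in sorted(events):
        phase = DETECTION_PHASE.get(det)
        if phase and phase not in seen[host]:
            seen[host].append(phase)
    result = {}
    for host, phases in seen.items():
        lo = min(PHASE_INDEX[p] for p in phases)
        hi = max(PHASE_INDEX[p] for p in phases)
        result[host] = {
            "phases": phases,
            "deepest": KILL_CHAIN[hi],
            "gaps": [p for p in KILL_CHAIN[lo:hi] if p not in phases],  # visibility gaps
        }
    return result

def containment_priority(progress, threshold="command_and_control"):
    """Hosts at or past `threshold` need containment now; hosts caught earlier still
    give defenders a chance to break the chain before the objective is reached."""
    urgent = sorted(h for h, i in progress.items()
                    if PHASE_INDEX[i["deepest"]] >= PHASE_INDEX[threshold])
    watch = sorted(h for h in progress if h not in urgent)
    return urgent, watch

EVENTS = [  # constructed sample telemetry
    ("2024-01-10T08:30", "edge-fw", "external_port_scan"),
    ("2024-01-10T09:00", "ws-17", "phishing_email_with_attachment"),
    ("2024-01-10T09:04", "ws-17", "office_macro_spawned_shell"),
    ("2024-01-10T09:07", "ws-17", "beacon_to_known_c2"),
    ("2024-01-10T10:00", "ws-22", "phishing_email_with_attachment"),
    ("2024-01-10T10:20", "ws-22", "beacon_to_known_c2"),
]
```

A host that reaches command and control with no installation-phase detection in between tells you both that it needs containment now and that persistence on that host went unobserved.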
12. A lot of data sources for threat intelligence are foreign; are there Nigerian-contextualized threat intel sources?
Well, for now I don't know of any, but I work with a team at CyberPlural that is working tirelessly to create a Nigeria- and Africa-context intel tool.
13. On establishing threat intel in an organization, do you feel the team should be outwardly focused (what’s happening outside) or internally focused?
I feel both are very important, but there is a need to strike a balance to avoid false positives and negatives. I think they should start internally while looking externally for indicators of compromise associated with their industry.
14. What type of skills will you assign to CTI teams?
It is simple: threat hunting, threat modeling, malware analysis and threat intelligence.
15. What intelligence sources (OSINT, commercial/paid, community) can you recommend, or have worked for you?
Like I said earlier, many OSINT tools work effectively, such as Maltego, Inoreader (a news feed aggregator), TweetDeck and different forums (as they provide a platform to learn other tools); paid tools like Sixgill and Recorded Future; and communities like the Threat Hunter Community on Discord. These are just a few.
16. What goals (short or long term) do you think should be set for a CTI team, and how can companies measure the growth/maturity of their intel program?
Short-term goals can be operational intelligence, which is understanding an attacker's capabilities, TTPs and infrastructure. They can also be tactical intelligence: understanding specific attacks and attack vectors.
Long-term goals should be strategic intelligence: dynamically understanding an organization's threat landscape.
17. What will you advise a company that is trying to establish a CTI program?
Have a framework that incorporates CTI, IR, SOC and Red Team (pen testers). The framework will help keep the flow of roles and processes intact.